Re: Challenge/response questions?

[Ken Connelly <Ken.Connelly () UNI EDU>]

How close does something like:   wmic useraccount where "domain=foobar"

come to getting what you want?

-ken

Leon DuPree wrote:
> Does anyone have  sample script for Active Directory that would list
> users and rights?
>
> Be great if I could get some kind of error handling with it in case it
> does not work on a server.
>
> Let me  know if you have any questions why? (I am not interested in
> rinventing the wheel :)
>
>
> Leon DuPree
> University of Michigan
> LSA Intern
>
>
>
>
> On Mon, Apr 13, 2009 at 12:23 PM, Schumacher, Adam J
> <ADAMSCHUMACHER () creighton edu <mailto:ADAMSCHUMACHER () creighton edu>>
> wrote:
>
>     We use security questions plus having access to a secondary email
>     account or
>     cellphone capable of receiving text messages to reset passwords.
>      We provide
>     15 possible questions to choose from, of which they must select
>     three (and
>     answer a random selection of 2).
>
>     Best practices for questions would involve things that aren't
>     likely to
>     change over time (excludes "whats your favorite _____?" type
>     questions),
>     things that aren't too easy to guess or find out, and have high
>     entropy
>     (lots of possible answers).
>
>     Some examples of decent questions might include:
>     What is your oldest sibling's birthday?
>     What is the address of the first house you lived in?
>     What hospital where you born at?
>     What was the color of your first car?
>     What was the make/model of your first car?
>
>
>     On 4/10/09 12:57 PM, "Witmer, Robert" <r.witmer () SNHU EDU
>     <mailto:r.witmer () SNHU EDU>> wrote:
>
>     > There must be a better way!  We have a customized single sign on
>     solution and
>     > are looking at self service password resets from a web page.
>      Everything after
>     > authentication has been worked out.  Currently we are thinking
>     of using
>     > challenge/response type questions to verify account ownership.
>      However,
>     > either most of the information is available on line (mother's
>     maiden name =
>     > genealogy sites) or includes personally identifying information
>     (SSN last 4)
>     > that we don't collect and don't want to use.
>     >
>     > Anyone have a better idea?  If not, anyone have better
>     challenge/response
>     > questions?
>     >
>     > Regards,
>     > Bob
>
>     sha1(
>
>     Adam Schumacher
>     Information Security Engineer
>     Creighton University
>
>     Don't share your password with ANYONE, EVER.  This means YOU!
>
>     402-280-2383
>     402-672-1732
>
>     )
>
>     = 1a72637cf94189654ab1a827520a5e41738f41b0
>
>
>
>
> --
> EIM Consulting
> PO Box 320822
> Flint Township, MI 48532
> Leon DuPree B.S MBA
> Chief Security Consultant
> Phone: 810-569-6427
> Fax: 270- 447-3872

--
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373